import { iOS, isSafari } from '../utils'

// Sandbox tokens for the iframe that hosts an app.
// See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe for details about sandbox
// `sandbox` is an allowlist: a sandboxed iframe starts with almost every
// capability removed, and each token below gives exactly one of them back.
const appIframeSandboxTokens = [
  // User-initiated downloads.
  // Required for Chrome 83+ (see https://www.chromestatus.com/feature/5706745674465280)
  'allow-downloads',

  // Form submission.
  'allow-forms',

  // Creation of new browsing contexts (window.open, target="_blank").
  'allow-popups',

  // New browsing contexts (e.g. new windows or tabs) opened by the iframe are
  // created without the sandbox. Without this token they would inherit the
  // same sandbox flags as the iframe that opened them. The trade-off is that
  // such pages then load with their own, real origin.
  'allow-popups-to-escape-sandbox',

  // Lets the embedded app run JavaScript.
  'allow-scripts',

  // Deliberately NOT enabled:
  //   - 'allow-same-origin':
  //       The most important security setting: with it left out, the iframe
  //       is treated as coming from a unique, orphan (opaque) origin. The
  //       page therefore has no access to cookies, local/session storage, or
  //       other open pages (e.g. the parent window, this Dapp).
  //
  //       This comes with some restrictions:
  //         - `window.postMessage()` must use `*` as the target origin to
  //           communicate with this iframe. Messages coming from the iframe
  //           carry the origin "null", so a receiver cannot authenticate
  //           them by origin; it should compare `event.source` with the
  //           iframe's `contentWindow` instead.
  //         - React devtools can't be hooked in from the browser, so the
  //           native `react-devtools` electron app has to be used for
  //           debugging
  //
  //   - 'allow-top-navigation':
  //       With it left out, the iframe cannot navigate the Dapp's own
  //       context (e.g. to a malicious page)
]

export const appIframeSandbox = appIframeSandboxTokens.join(' ')

// Sandbox tokens for the iframe that starts the WebWorkers.
const workerFrameSandboxTokens = [
  // Needed to run the script that starts the WebWorker in the iframe
  'allow-scripts',

  // 'allow-same-origin' is deliberately left out: its absence is what gives
  // the WebWorkers an opaque origin, so it must not be added here.
]

export const workerFrameSandbox = workerFrameSandboxTokens.join(' ')

// Truthy on macOS Safari and iOS browsers, where the worker frame's sandbox is
// disabled because those browsers do not allow blobs to be read in sandboxed
// iframes: https://bugs.webkit.org/show_bug.cgi?id=170075
//
// NOTE(review): the code that consumes this flag is not in this file. If it
// drops the `sandbox` attribute entirely, the worker frame on these browsers
// no longer gets the opaque origin that `workerFrameSandbox` relies on.
// Confirm what isolates worker scripts from the Dapp's origin in that case.
export const workerFrameSandboxDisabled = iOS || isSafari
